Kerberos error - KDC reply did not match expectations

Lamping, Paul A plamping at lake.ollusa.edu
Fri Oct 30 17:08:02 EDT 2009


Problem solved!

The trouble was the 'realm' parameter should have been named
"OLLUSA.EDU" and not "OLLUSA."  I had seen the OLLUSA name mentioned in
the Active Directory tools area, but I learned that the Kerberos domain
name is always the domain name (ollusa.edu) in upper case.  By viewing
the event logs on the AD server, I found a successful login that had
used the OLLUSA.EDU realm, so that provided the necessary clue.

Paul

From: Lamping, Paul A 
Sent: Thursday, October 29, 2009 5:46 PM
To: 'kerberos at mit.edu'
Subject: Kerberos error - KDC reply did not match expectations

I'm new to Kerberos and I have an issue in setting my AIX 5.3 system to
authenticate against a Windows 2003 Active Directory server via
Kerberos.  I followed the instructions from the IBM website on Kerberos
integration
(http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_auth_only_load_module.htm).

Whatever I do, I can't get my Kerberos user to authenticate when I login
or su to that user.  I get an "unable to authenticate" message and the
"KDC reply did not match expectations" in the syslog file.

Oct 29 17:23:44 olladmin_1 auth|security:debug su: [krb_authenticate] Error in getting TGT ...
Oct 29 17:23:44 olladmin_1 auth|security:debug su: KDC reply did not match expectations
Oct 29 17:23:44 olladmin_1 auth|security:crit su: BAD SU from plamping to krbtest at /dev/pts/60

Here's my config.krb5 command, run from our AIX server
olladmin_1.ollusa.edu:

config.krb5 -C -r OLLUSA -d ollusa.edu -c ollusa4.ollusa.edu -s ollusa4.ollusa.edu

I think that my REALM (the -r parameter) is OLLUSA because when I open
up "Active Directory Users and Computers" tool, the properties of the
main entry, ollusa.edu, says that the Domain name = OLLUSA.  I made sure
that it is capitalized in the krb5.conf file.

Our Active Directory admins ran the Ktpass command this way:

Ktpass -princ host/olladmin_1.ollusa.edu at OLLUSA -mapuser olladmin_1 -pass ******** -out olladmin_1.keytab

I transferred the keytab file and imported it using ktutil, creating
krb5.keytab.  I made sure that KVNO as listed in ktutil is the same as
the output of the Ktpass command.

I added these lines to my /usr/lib/security/methods.cfg

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

I updated /etc/krb5/krb5.conf so that the default_tkt_enctypes and
default_tgs_enctypes were set to "des-cbc-md5 des-cbc-crc" and I added
the line "dns_lookup_kdc = true".

Then I created users in both AD and AIX, making sure that the AIX user
was set up with "registry=KRB5Afiles SYSTEM=KRB5Afiles".

I checked the clocks.  My AD server and my AIX server are 4 minutes
apart.  I think the Kerberos limit is 5 minutes.

So I've exhausted all the hints and advice that I've seen on all the
mailing lists and forums.  Does anyone have any more ideas?

Paul
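As an added example (not part of the thread, and not IBM's config.krb5 or the MIT library code), the script below captures the two things worth checking from this exchange. First, it lints a krb5.conf against the host's DNS domain and the keytab principal: an Active Directory realm is the DNS domain name in upper case, and a mismatch anywhere (default_realm, the [domain_realm] map, the principal given to ktpass) sends the client after the wrong realm. Second, it models the client-side rule behind the syslog message: MIT krb5 rejects an AS-REP whose client principal differs from the one it requested unless the request asked for canonicalization, so a KDC that accepts a request for krbtest@OLLUSA but answers for krbtest@OLLUSA.EDU would trip exactly that error, which is consistent with the fix above. The krb5.conf text is constructed to mirror what the post's config.krb5 command would write; the host, realm and KDC names are the post's. The single-DES enctypes the post enables are flagged as well: they were usual against Windows 2003, but current KDCs disable single DES by default. One further caveat for the methods.cfg in the post: tgt_verify=no switches off verification of the returned TGT against the host keytab (the guard against a spoofed KDC), so once the host keytab works it is worth retesting with that option removed.

```python
"""Lint a krb5.conf aimed at an AD KDC and model the client check behind
"KDC reply did not match expectations" (KRB5_KDCREP_MODIFIED).
Added example; not code from the post, IBM or MIT.  Names come from the
post, the krb5.conf text is constructed to mirror config.krb5's output."""
import re

# Constructed: the broken layout uses the NetBIOS name "OLLUSA" as the realm.
BROKEN_KRB5_CONF = """
[libdefaults]
    default_realm = OLLUSA
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    dns_lookup_kdc = true

[realms]
    OLLUSA = {
        kdc = ollusa4.ollusa.edu:88
    }

[domain_realm]
    .ollusa.edu = OLLUSA
    ollusa.edu = OLLUSA
"""
# Constructed: the same file with the realm the KDC actually answers for.
FIXED_KRB5_CONF = BROKEN_KRB5_CONF.replace("OLLUSA", "OLLUSA.EDU")

# Single-DES types as enabled in the post; disabled by default on current KDCs.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, with the
    `NAME = { ... }` sub-blocks used in [realms] kept as nested dicts."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = sections.setdefault(header.group(1), {}), None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return sections


def expected_ad_realm(dns_domain):
    """An AD realm is the domain's DNS name in upper case; the NetBIOS name
    shown by the AD tools ("OLLUSA") is not a Kerberos realm."""
    return dns_domain.strip(".").upper()


def check_config(conf, host_fqdn, keytab_principal):
    """Return a list of findings; empty means realm, [domain_realm] map,
    keytab principal and enctypes are consistent with the host's DNS domain."""
    findings = []
    want = expected_ad_realm(host_fqdn.split(".", 1)[1])
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    if realm != want:
        findings.append(f"default_realm is {realm!r}, expected {want!r}")
    if realm not in conf.get("realms", {}):
        findings.append(f"no [realms] stanza for {realm!r}")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped != want:
            findings.append(f"[domain_realm] maps {domain} to {mapped!r}, expected {want!r}")
    kt_realm = keytab_principal.rsplit("@", 1)[-1]
    if kt_realm != want:
        findings.append(f"keytab principal realm is {kt_realm!r}, expected {want!r}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(libdefaults.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} permits weak enctypes: {', '.join(weak)}")
    return findings


def verify_as_reply(requested_client, reply_client, canonicalize=False):
    """Model of the MIT krb5 client check on an AS-REP: the client principal
    in the reply must equal the requested one unless canonicalization was
    requested.  Returns None on success, otherwise the error text."""
    if requested_client != reply_client and not canonicalize:
        return (f"KDC reply did not match expectations: requested "
                f"{requested_client}, reply names {reply_client}")
    return None


if __name__ == "__main__":
    host = "olladmin_1.ollusa.edu"
    for label, text, princ in (("broken", BROKEN_KRB5_CONF, f"host/{host}@OLLUSA"),
                               ("fixed", FIXED_KRB5_CONF, f"host/{host}@OLLUSA.EDU")):
        print(label, check_config(parse_krb5_conf(text), host, princ) or ["ok"])
    # A KDC that accepts the short realm but answers with its canonical one
    # produces the mismatch seen in the post's syslog.
    print(verify_as_reply("krbtest@OLLUSA", "krbtest@OLLUSA.EDU"))
```

Run it as-is to see the broken layout produce six findings (realm, both domain_realm entries, keytab principal, both enctype lists) and the fixed layout only the two enctype warnings; point check_config at your own parsed /etc/krb5/krb5.conf and the principal from `ktutil`'s listing to lint a real host.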



